Using yubikey to encrypt files.


We purchased several GPG/PGP-compatible yubikey keys (ver 4).
But when used in Windows (Kleopatra client) we can only write the key on yubikey.
We cannot decrypt files/folders with the key on yubikey. Are there any Windows programs with similar features?



That is surprising, yubikeys should be fully supported.

Are you sure that you are using the correct public key?

Yubico has sent me some test yubikeys which are currently in the mail. Once I get them I can test it and might know more. But other Gpg4win developers have tested it already and found no issues, except that it might be problematic to switch between Yubikey apps. So if you are also using the yubikey for something else, there might be a conflict.

We have improved that in our current development version, but that will be released next spring at the earliest.

Best Regards,

GPG support is present, the key is written on yubikey:

C:\Users\Alex> gpg --card-status
Reader …: Yubico Yubikey 4 CCID 0
Application ID …: D2760001240102010006070173010000
Version …: 2.1
Manufacturer …: Yubico
Serial number …: 07017301

Signature key …: 4E97 BF2D EB1E D965 A6B2 2CCD B7B4 A709 A38C BFCC
created …: 2019-07-22 09:19:16

But we do not have the ability to use certificates on yubikey to decrypt files / folders in Windows, only certificates in the program itself.
Also, there is no possibility to expand the file / folder if the only certificate is written on yubikey (there are no created certificates in the GPG client).


There is a problem using the Mozilla Thunderbird extension:
When storing a key on yubikey and sending an encrypted message, the PIN is not requested, even though the smart card is configured to require a PIN each time the key on it is accessed.
How can I make Enigmail require a PIN every time I send a message?


You could try to use the Explorer extension or Kleopatra from Gpg4win
to handle files, if Enigmail does not offer this directly.

If Thunderbird/Enigmail uses GnuPG, a step to diagnose the problem
is to try the operations on the command line.
This way the effect of the frontend over the backend can be excluded.

I am not sure, but the gpg-agent may cache the PIN; you could try to set the options to not cache it.



Thanks for the answer. But there is one more problem in enigmail for thunderbird:

After exporting the private key (gpg --key-edit ivanov >> cardtokey) to the yubikey smart card, it is not possible to decrypt messages with this key.

Error text:

Enigmail Security Information
Error - the corresponding private key needed for decryption was not found

Note: The message is encrypted for the following User IDs / Keys:
0x2DAFF4050A034472 (ivanov,
0x82FB0004118AE223 (petrov

Both keys (ivanov and petrov) are in the list of keys.

C:\Users\Alex> gpg --list-keys
C:/Users/Alex/AppData/Roaming/gnupg/pubring.kbx

pub rsa4096 2019-10-14 [SC] [expires: 2021-10-14]
uid [unknown] petrov
sub rsa4096 2019-10-14 [E] [expires on: 2021-10-14]

pub rsa4096 2019-10-14 [SC] [expires: 2021-10-14]
uid [absolutely] ivanov
sub rsa4096 2019-10-14 [E] [expires on: 2021-10-14]

The key 0x2DAFF4050A034472 (ivanov is recorded on the yubikey smart card.

C:\Users\Alex> gpg --card-status
Reader …: Yubico Yubikey 4 OTP U2F CCID 0
Application ID …: D2760001240102010006070173580000
Version …: 2.1
Manufacturer …: Yubico
Serial number …: 07017358
Name of cardholder: [not set]
Language prefs …: [not installed]
Sex …: not specified
URL of public key: [not set]
Login data …: [not installed]
Signature PIN …: not required
Key attributes …: rsa4096 rsa2048 rsa2048
Max PIN lengths.: 127 127 127
PIN retry counter: 3 0 3
Signature counter: 10
Signature key …: E0EF 5CC0 5A60 B345 C465 4317 0663 24D1 BE86 1FAB
created …: 2019-10-14 15:01:32
Encryption key …: [none]
Authentication key: [none]
General key info …: pub rsa4096 / 066324D1BE861FAB 2019-10-14 ivanov
sec> rsa4096 / 066324D1BE861FAB created: 2019-10-14 expires on: 2021-10-14
card number: 0006 07017358
ssb # rsa4096 / 2DAFF4050A034472 created: 2019-10-14 expires on: 2021-10-14

How is it possible to decrypt messages with a private key recorded on a yubikey smart card?

gpg should know where the key truly is, as it leaves a “stub” on the computer, instead of the real key, which is pushed to the smartcard (yubikey). Have you tried asking the Yubikey support?
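
Added example (not part of the thread, and not Gpg4win, Enigmail or Yubico code): the stub mentioned in the reply above is visible in gpg's own listings, where the gpg manual documents `>` after `sec`/`ssb` as "stored on a smartcard" and `#` as "secret key not usable". This Python sketch reads `gpg --card-status` text and reports, for each key ID a message is encrypted to, whether the card can serve it. The sample text is constructed from the output posted above, and the function names are hypothetical.

```python
import re

# Constructed sample, modeled on the `gpg --card-status` output posted above
# (dot leaders restored; fingerprint and key IDs are the ones from the post).
SAMPLE = """\
Signature key ....: E0EF 5CC0 5A60 B345 C465  4317 0663 24D1 BE86 1FAB
Encryption key....: [none]
Authentication key: [none]
General key info..: pub  rsa4096/066324D1BE861FAB 2019-10-14 ivanov
sec>  rsa4096/066324D1BE861FAB  created: 2019-10-14  expires: 2021-10-14
                                card-no: 0006 07017358
ssb#  rsa4096/2DAFF4050A034472  created: 2019-10-14  expires: 2021-10-14
"""

# Tolerates the dot leaders of real output and the collapsed form seen on the page.
SLOT_RE = re.compile(r"^(Signature|Encryption|Authentication) key[\s.\u2026]*:\s*(.+)$")
KEY_RE = re.compile(r"^(sec|ssb)\s*([>#]?)\s+\w+\s*/\s*([0-9A-F]{16})\b")

# Marker after sec/ssb, as documented in the gpg manual.
STATE = {">": "on-card", "#": "unusable", "": "on-disk"}


def parse_card_status(text):
    """Return (slots, keys): card slot -> fingerprint or None, key ID -> state."""
    slots, keys = {}, {}
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            value = m.group(2).strip()
            slots[m.group(1).lower()] = None if value == "[none]" else value.replace(" ", "")
            continue
        m = KEY_RE.match(line)
        if m:
            keys[m.group(3)] = STATE[m.group(2)]
    return slots, keys


def findings(text, recipient_key_ids):
    """List the reasons this card cannot decrypt for the given recipient key IDs."""
    slots, keys = parse_card_status(text)
    out = []
    if slots.get("encryption") is None:
        out.append("card has no key in the encryption slot")
    for kid in recipient_key_ids:
        state = keys.get(kid, "unknown")
        if state != "on-card":
            out.append(f"{kid}: secret key is {state}, so gpg cannot decrypt with it")
    return out
```

Calling `findings(SAMPLE, ["2DAFF4050A034472"])` with the key ID from the Enigmail error returns both findings: the encryption slot is empty and the encryption subkey is marked unusable.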